MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 a09b8f3482137394a421f6a96eaa3664f468ddfbcdf01651dae8fc0898e9a13e. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry



Threat unknown


Vendor detections: 12


Intelligence 12 IOCs YARA 16 File information Comments

SHA256 hash: a09b8f3482137394a421f6a96eaa3664f468ddfbcdf01651dae8fc0898e9a13e
SHA3-384 hash: baa3fe0662b233de30f918d775797dcd7269ff70f0a12b7ef87572a2fdd17177deb11a5b9f9ea28e89586bba206e2a1f
SHA1 hash: 1a716ea4ead1f0bb4110689494fa6fef7dc3cfad
MD5 hash: b31e9f2479f734538e6a378656f05ceb
humanhash: winner-four-saturn-cola
File name:SecuriteInfo.com.Trojan.Siggen32.45858.16591.23448
Download: download sample
File size:271'360 bytes
First seen:2026-07-04 07:33:43 UTC
Last seen:2026-07-04 08:37:41 UTC
File type:Executable exe
MIME type:application/x-dosexec
imphash ca192ca89afa647048bfa1f1c72dae0a
ssdeep 6144:FJHTrrdy4gptRY/6l6Zaoxf7rxyBNdOfUHJF:FJf5c2SlI5xfMBNA
TLSH T1F3447C4663E524F9E0B78238C9A54B46E771F8621330ABDF07A0865E1F233D1AD39B71
TrID 33.1% (.EXE) Win64 Executable (generic) (6522/11/2)
25.6% (.EXE) Win16 NE executable (generic) (5038/12/1)
10.4% (.ICL) Windows Icons Library (generic) (2059/9)
10.3% (.EXE) OS/2 Executable (generic) (2029/13)
10.1% (.EXE) Generic Win/DOS Executable (2002/3)
Magika pebin
Reporter SecuriteInfoCom
Tags:exe

Intelligence


File Origin
# of uploads :
2
# of downloads :
112
Origin country :
FR FR
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
b122fb13a9014410c09a8ae53d40979ad4c2f7903223563941aea3be50edf01f.zip
Verdict:
Malicious activity
Analysis date:
2026-06-26 16:30:09 UTC
Tags:
arch-exec loader stealer stealc solaris

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Verdict:
Malicious
Score:
99.9%
Tags:
ransomware dropper spoof virus
Result
Verdict:
Malware
Maliciousness:

Behaviour
Enabling the 'hidden' option for files in the %temp% directory
Creating a process from a recently created file
Сreating synchronization primitives
Creating a service
Loading a system driver
Creating a file in the %temp% directory
Enabling autorun for a service
Blocking the Windows Defender launch
Blocking the Windows Security Center launch
Forced shutdown of a system process
Changing the hosts file
Verdict:
Malicious
Threat level:
  10/10
Confidence:
100%
Tags:
amadey anti-debug anti-vm evasive exploit explorer lolbin microsoft_visual_cc mikey mpcmdrun overlay packed
Verdict:
Malicious
File Type:
exe x64
First seen:
2026-06-25T20:54:00Z UTC
Last seen:
2026-07-04T04:32:00Z UTC
Hits:
~100
Detections:
Trojan.Win32.BypassUAC.sb Trojan.Win32.Agent.xcelvu Trojan.Win32.Agent.sb Trojan.MSIL.BypassUAC.sb Trojan.Win64.Bypassuac.awn PDM:Trojan.Win32.Generic
Gathering data
Threat name:
Win64.Trojan.StealC
Status:
Malicious
First seen:
2026-06-26 01:47:41 UTC
AV detection:
18 of 24 (75.00%)
Threat level:
  5/5
Result
Malware family:
n/a
Score:
  8/10
Tags:
persistence
Behaviour
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Executes dropped EXE
Sets service image path in registry
Unpacked files
SH256 hash:
a09b8f3482137394a421f6a96eaa3664f468ddfbcdf01651dae8fc0898e9a13e
MD5 hash:
b31e9f2479f734538e6a378656f05ceb
SHA1 hash:
1a716ea4ead1f0bb4110689494fa6fef7dc3cfad
SH256 hash:
be495b5cd25cba230cc88aa99d34f2f7b70201b7047ae7a605950756acce215c
MD5 hash:
e57325406173324144960bbafbad6a11
SHA1 hash:
f9fde8480bb883016207f154dd473e56d629b36f
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:cobalt_strike_tmp01925d3f
Author:The DFIR Report
Description:files - file ~tmp01925d3f.exe
Reference:https://thedfirreport.com
Rule name:CP_Script_Inject_Detector
Author:DiegoAnalytics
Description:Detects attempts to inject code into another process across PE, ELF, Mach-O binaries
Rule name:DebuggerCheck__API
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:DebuggerCheck__QueryInfo
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Driver_Safetica
Author:Nikos 'n0t' Totosis
Description:Detects Safetica kernel driver.
Rule name:golang_bin_JCorn_CSC846
Author:Justin Cornwell
Description:CSC-846 Golang detection ruleset
Rule name:INDICATOR_SUSPICIOUS_EXE_RegKeyComb_DisableWinDefender
Author:ditekSHen
Description:Detects executables embedding registry key / value combination indicative of disabling Windows Defender features
Rule name:INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM
Author:ditekSHen
Description:Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Rule name:Malw_Solaris_Loader
Author:Nikos 'n0t' Totosis
Description:Detects Solaris Loader
Rule name:RemusStealer_DefenderKiller_Module
Author:burger
Description:Detects RemusStealer BypassUAC/Defender-killer companion module
Rule name:SUSP_XORed_Mozilla_Oct19
Author:Florian Roth
Description:Detects suspicious single byte XORed keyword 'Mozilla/5.0' - it uses yara's XOR modifier and therefore cannot print the XOR key. You can use the CyberChef recipe linked in the reference field to brute force the used key.
Reference:https://gchq.github.io/CyberChef/#recipe=XOR_Brute_Force()
Rule name:SUSP_XORed_Mozilla_RID2DB4
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research
Rule name:Sus_CMD_Powershell_Usage
Author:XiAnzheng
Description:May Contain(Obfuscated or no) Powershell or CMD Command that can be abused by threat actor(can create FP)
Rule name:ThreadControl__Context
Reference:https://github.com/naxonez/yaraRules/blob/master/AntiDebugging.yara
Rule name:Tool_CombinedWindowsDefKiller
Author:Nikos 'n0t' Totosis
Description:An EDR/AV process/services killer component utilizing code from WinDefenderKiller open-source project.
Rule name:VECT_Ransomware
Author:Mustafa Bakhit
Description:Detects activity associated with VECT ransomware. This includes registry modifications and deletions, execution of system and defense-evasion commands, suspicious API usage, mutex creation, file and memory manipulation, ransomware note generation, anti-debugging and anti-analysis techniques, and embedded cryptographic constants (SHA256) characteristic of this malware family. Designed for threat intelligence and malware detection environments.

File information


The table below shows additional information about this malware sample such as delivery method and external references.

Web download

Executable exe a09b8f3482137394a421f6a96eaa3664f468ddfbcdf01651dae8fc0898e9a13e

(this sample)

  
Delivery method
Distributed via web download

Comments